18 Nov ARTICLE 35 – DATA PROTECTION IMPACT ASSESSMENT
An Analytical Overview in Light of the Guidelines Adopted and Revised on 4 October 2017
Two of the fundamental principles regulated by Article 5 of the General Data Protection Regulation — namely the principle of transparency of data processing and the principle of the controller’s accountability with regard to the manner in which processing is carried out (a principle which includes the obligation to implement appropriate technical and organisational measures to guarantee and demonstrate compliance with legal requirements in the activity carried out) — are of particular importance in the context of data protection impact assessments.
In the context established by these two aforementioned principles, paragraph 1 of Article 35 of the same Regulation provides that “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”.
This assessment, referred to in the original English version of the Regulation as a “data protection impact assessment” (hereinafter referred to briefly as a DPIA), has generated numerous discussions, as it was not clear in practice in which situations it is mandatory and in which it is not.
This overview is written from the perspective of the directions set out in the guidelines adopted on 4 April 2017 and revised 7 months later (hereinafter referred to as the Guidelines) by WP29 (now replaced by the EDPB), as the opinions and recommendations of this authority remain relevant in practice.
The Obligation to Carry Out a DPIA
Pursuant to Article 35 of the Regulation and the repeated emphasis in the Guidelines, a DPIA must be carried out prior to processing and only in situations where such processing is likely to result in a high risk to the rights and freedoms of data subjects.
In this regard, an important aspect is that the aforementioned article does not refer strictly to the rights of the data subject as regulated by the Regulation, but also to other rights such as freedom of expression, liberty, conscience and religion, the right to non-discrimination, etc., and therefore this aspect must also be taken into account at the time of assessment in order to decide whether or not there is an obligation to carry out a DPIA.
In order to assist data controllers, the Regulation indicates at paragraph 3 of the same article some of the situations in which a DPIA is mandatory, namely:
- where processing involves a systematic and extensive evaluation of personal aspects relating to a natural person, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
- where processing is carried out on a large scale and concerns special categories of data; or
- where processing involves systematic monitoring on a large scale of a publicly accessible area.
Moreover, pursuant to the recommendations of the European authority in the analysed Guidelines and recitals 89 and 91 of the Regulation’s preamble, a fourth example of a situation in which carrying out a DPIA is certainly necessary can be identified, namely where a new technological product is to be launched on the market.
Equally, in order to provide as clear a regulatory framework as possible and to avoid contentious situations, the Regulation establishes the obligation of the national supervisory authority for personal data processing to draw up and publish a list of types of processing operations that are subject to the requirement to carry out a data protection impact assessment. Such a list will not, however, be exhaustive and will need to be submitted for review by the EDPB. The competent authority in Romania (i.e. the ANSPDCP) submitted that list in July 2019, with the opinion containing the EDPB’s recommendations regarding its content having been adopted on 25 September 2018.
Acknowledging the wide variety of practical situations that may arise, it was recognised at European level that guidelines were needed that could be taken into account in particular cases where it is not clear whether carrying out a DPIA is mandatory.
Thus, the 9 criteria set out in the Guidelines, which indicate the existence of a high risk to the rights and freedoms of data subjects, are:
- Conducting evaluations or classifications (e.g. online stores that build user profiles from customers’ browsing behaviour on the site, a practice not limited to offering targeted advertising or short daily updates);
- Automated decision-making;
- Systematic monitoring;
- Processing of sensitive data or data of a highly personal nature (e.g. hospitals or private investigators — but not lawyers or individual medical practices, these categories of controllers being exempt according to the guidance developed by WP29);
- Processing of data on a large scale (a concept not defined by the Regulation, but explained with examples in another opinion of WP29);
- Matching or combining datasets;
- Processing of data relating to vulnerable persons (e.g. children, employees subject to systematic monitoring, patients in clinical studies, the elderly);
- Application of innovative technological or organisational solutions (e.g. use of fingerprinting and facial recognition);
- Processing that prevents data subjects from exercising a right or using a service or accessing a contract (e.g. a bank decides whether to refuse or grant a loan following the use of an index from a database).
In many cases, meeting at least two of the criteria listed above will give rise to the obligation to carry out a DPIA, although situations may also arise where even a single criterion has the same effect.
Therefore, a decision not to carry out such an assessment despite the criteria being met will need to be based on well-founded reasons. Furthermore, WP29 considers that in all cases where it is not clear whether a DPIA is mandatory, such an assessment must be carried out.
Contents of the DPIA
Pursuant to Article 35(7) and recitals 84 and 90 of the GDPR, a DPIA shall contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged to address the risks. Any adherence to approved codes of conduct, certifications or attestations, or the implementation of binding corporate rules, will be taken into account and considered as measures to ensure compliance with the provisions of the Regulation.
A DPIA may cover a single data processing activity or a set of similar processing operations presenting similar high risks, with the note that in the latter case, in accordance with WP29’s recommendations, there should be a documented justification for the decision to carry out a single DPIA.
Review of the DPIA
The DPIA must be reviewed each time the processing risks, implementation conditions or purposes change, taking into account the fact that data security must be maintained in a continuously changing environment.
Accordingly, carrying out a DPIA is a continuous process throughout the course of data processing, and not a one-time exercise.
Competence to Carry Out a DPIA
With regard to the persons responsible for carrying out a DPIA, it should be noted that the controller bears direct responsibility. In addition, a DPIA may be carried out by two joint controllers, in which case the role and responsibilities of each of them in relation to that processing shall be expressly indicated.
A DPIA may be carried out by one of the controller’s employees with competence in this area, by a contracted third party, or even by the processor, but the data protection officer designated by the controller must in all cases be informed, and their recommendations must be taken into account.
An important aspect in this regard is also the provisions of Article 35(9) of the GDPR, under which the controller shall, where appropriate, seek the views of data subjects or their representatives regarding the intended processing, by various means such as generic questionnaires. If the outcome of the consultation differs from the controller’s decision, the controller’s decision must be justified, just as in cases where the controller considers that consultation of data subjects is not necessary — for example, because it would affect the confidentiality of the controller’s business plan or would involve disproportionate effort.
Furthermore, when a data controller finds that it cannot implement sufficient security measures to reduce the risk to the rights of data subjects to an acceptable level, consultation with the supervisory authority is required.
Publication of the DPIA
Although an analysis of the provisions of the Regulation might suggest that publication of the DPIA after it has been carried out is not mandatory, consideration must be given to WP29’s recommendation to publish at least parts of the DPIA (a summary or only the conclusions) in order to ensure transparency of data processing and to build trust with data subjects.
The obligation to communicate the DPIA to the supervisory authority where consultation with that authority is required remains in any event applicable.